May 26, 2020

California Attorney General Proposes Further Modifications to Proposed CCPA Regulations

On March 11, 2020, the California Attorney General (“AG”) published a second round of modifications to the proposed regulations under the California Consumer Privacy Act of 2018 (“CCPA”). The AG initially published the proposed regulations in October 2019 and then published modifications to such proposed regulations in February 2020. The deadline for submitting comments on this draft of modifications to the proposed CCPA regulations is Friday, March 27, 2020, at 5:00 p.m. PDT.

The short comment window (closing March 27, 2020, at 5:00 p.m. PDT) indicates that the final rules may be in force before the July 1, 2020 enforcement date set by the CCPA. Organizations still working toward CCPA compliance should expect the AG to begin investigative activity as soon as the rulemaking process concludes.

What Has Changed?

The modifications are generally minor and technical, with a few exceptions. The modifications were made in response to approximately 100 comments received on the second draft of the proposed regulations that were submitted to the AG’s office between February 7, 2020 and February 25, 2020.

The most recent modifications to the proposed regulations include the following:

  • Clarifying the Definition of “Financial Incentive”- clarification that a “financial incentive” includes payments or offerings to consumers that are “related to the collection, retention, or sale of personal information”. This wording is clearer than the previous draft of the regulations, which described a financial incentive as payments or offerings to consumers “as compensation, for the disclosure, deletion, or sale of personal information”. The new language also resolves an inconsistency between the description of financial incentives in the statute and the definition of the term in the previous version of the proposed regulations.

  • Deletion of Interpretive Guidance on Definition of “Personal Information”- deletion of Section 302, which had proposed a more subjective test for determining when information is “personal information” for CCPA purposes. The deleted text had helpfully provided that whether a given data element is “personal information” for a particular business depends on how that business maintains the information in question. Without it, the regulations are more in line with other robust data privacy regimes such as the EU’s General Data Protection Regulation.

  • Personal Information Collected Indirectly- clarification that businesses that collect personal information from sources other than the consumer do not have to provide a notice at collection to the consumers to whom the personal information relates, unless the business sells that personal information. In that case, the business will presumably need to provide a notice at collection to those consumers before selling the personal information, though this requirement is no longer explicitly stated in the proposed regulations. This revision leaves businesses that are not data brokers but that sell indirectly collected personal information with a challenging obligation.

  • Notice at Collection for Employees and Contractors- the notice at collection for employees and contractors is no longer required to include a link to the business’s privacy policy.

  • Privacy Policy Disclosures- re-introduction of a requirement for businesses to include in their privacy policy the categories of sources from which the business collects personal information and the business or commercial purpose(s) for collecting or selling personal information. This information does not need to be broken out for each category of personal information collected. This revision resolves an inconsistency between the statute and previous versions of the proposed regulations and aligns the disclosures in the privacy policy with the disclosures required when a consumer exercises the “right to know”.

  • Sale of Personal Information of Minors- introduction of a new requirement that if a business has actual knowledge that it sells the personal information of minors under 16 years of age, a description of the process for opting in to (and subsequently opting out of) such sales must be included in the business’s privacy policy.

  • Sensitive Personal Information- introduction of a new requirement that, when responding to a consumer who seeks to know what personal information a business has about them, the business disclose whether it has collected certain types of sensitive personal information (Social Security numbers, driver’s license numbers, financial account numbers, etc.) without disclosing the sensitive data itself. For example, a business must disclose that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.

  • Opt-Out Rights- introduction of a requirement that a business that denies a consumer’s request to delete, and that sells personal information, ask the consumer whether they would like to opt out of the sale of their personal information if the consumer has not already exercised that right. Under the previous version of the proposed regulations, this obligation arose only when a business could not verify the consumer’s identity; in this version, the obligation arises whenever the request is denied, for whatever reason, including the various statutory bases for denying such a request.

  • Opt-out button- elimination of the section addressing the format of an “opt-out button or logo.” It is unclear why the section was removed, given that the CCPA explicitly requires the AG to “establish rules and procedures” for the “development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information” on or before July 1, 2020.

  • Privacy controls- elimination of the provision introduced in the prior round of modifications requiring that privacy controls “require that the consumer affirmatively select their choice to opt-out” and that they not be “designed with any pre-selected settings.” The deletion of these provisions suggests that the AG expects businesses to honor privacy controls regardless of whether the pre-selected settings are privacy protective or not.

Some other interesting revisions include clarifications to the proposed regulations regarding service providers and record keeping.

What Will Happen Next?

The AG is currently accepting written comments on the proposed changes and documents relied on in the rulemaking. Comments must be submitted to the AG no later than 5:00 p.m. PDT on Friday, March 27, 2020, by email to privacyregulations@doj.ca.gov, or by regular mail at the following address:

Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

The AG will review and respond to all timely received comments pertinent to the changes proposed. In order to finalize the rules, the AG will prepare and submit the final rulemaking record to the Office of Administrative Law (OAL) for approval. This record will include the Final Statement of Reasons, in which the AG will summarize and respond to the public comments received. The OAL will then have 30 working days to determine whether the record satisfies procedural requirements under California law. If the requirements are met, the regulations will be adopted as final and filed with the California Secretary of State.

Given the California AG’s timetable, the regulations may come into force as early as May 2020. Companies defined as businesses, service providers or data brokers under the CCPA should therefore move promptly to evaluate any changes that may be required to their privacy policies, notices, consumer rights response procedures, service provider contracts, and other CCPA documentation and practices under the modifications to the proposed regulations.

© Copyright 2020 Squire Patton Boggs (US) LLP

About the Authors

Glenn Brown, Of Counsel, Squire Patton Boggs

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

678 272 3235
Elliot Golding, Partner, Squire Patton Boggs

Elliot Golding is a member of Squire Patton Boggs' Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He was selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, which recognizes those who “represent the best and the brightest of the data law bar around the world.”

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed dozens of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; 42 CFR Part 2 (Federal Confidentiality of Alcohol and Drug Abuse Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

Elliot is co-chair of the ABA E-Privacy Law Committee, vice-chair of the ABA Healthcare Technology Committee, vice-chair of the Privacy, Security and Emerging Technology Division for the ABA Section of Science & Technology Law, a member of the Bloomberg BNA Health Care Innovations Board, and a frequent speaker and writer of thought leadership pieces. He is also a Certified Information Privacy Professional (CIPP/US).

202-457-6407
Lydia de la Torre, Of Counsel, Squire Patton Boggs

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other states’ privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups...

650 843 3227